HighProventia Desktop, Proventia Network IPS, Proventia Server IPS for Linux technology, BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Server Protection for Windows, Proventia Network MFS, BlackICE Server Protection, Virtual Server Protection for Vmware:
This signature detects the loading of the FoxPro FPOLE.OCX or FoxPro FOXTLIB.OCX ActiveX control that an attacker could use to exploit a stack-based buffer overflow to execute arbitrary code on the victim's computer.
High
Proventia Desktop: 2120, Proventia Network IPS: XPU 27.110, Proventia Server IPS for Linux technology: 27.110, BlackICE PC Protection: 3.6cqr, RealSecure Server Sensor: XPU 27.110, RealSecure Network: XPU 27.110, Proventia-G 1.1 and earlier: XPU 27.110, Proventia Network IDS: XPU 27.110, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Network MFS: XPU 27.110, BlackICE Server Protection: 3.6.cqr, IBM Security Server Protection for Windows: 1.0.914.2120, Virtual Server Protection for Vmware: 1.0
Microsoft Internet Explorer: 5.01, Microsoft Internet Explorer: 6.0, Microsoft Visual FoxPro: 6.0, Microsoft Internet Explorer: 6.0 SP1, Microsoft Windows 2000: SP4, Microsoft Windows 2003 Server: x64, Microsoft Windows XP: SP2, Microsoft Windows 2003 Server: SP1, Microsoft Windows XP: x64 Professional, Microsoft Windows 2003 Server: SP1 Itanium, Microsoft Internet Explorer: 7.0, Microsoft Windows Vista, Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64, Microsoft Windows Vista: x64, Microsoft Windows XP: SP2 x64 Professional
Unauthorized Access Attempt
The Microsoft Visual FoxPro ActiveX control is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the FoxDoCmd function. By persuading a victim to visit a malicious Web page using Internet Explorer, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the victim.
Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.
— OR —
Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.
milw0rm.com [2007-09-06]
Microsoft Visual FoxPro 6.0 (FPOLE.OCX v. 6.0.8450.0) Remote PoC
http://milw0rm.com/exploits/4369
Microsoft Security Bulletin MS08-010
Cumulative Security Update for Internet Explorer (944533)
http://www.microsoft.com/technet/security/bulletin/ms08-010.mspx
IBM Internet Security Systems Protection Alert - Feb. 12, 2008
Microsoft Visual FoxPro FPOLE.OCX ActiveX Control Buffer Overflow
http://www.iss.net/threats/286.html
Microsoft Security Bulletin MS08-024
Cumulative Security Update for Internet Explorer (947864)
http://www.microsoft.com/technet/security/bulletin/ms08-024.mspx
Microsoft Security Bulletin MS08-031
Cumulative Security Update for Internet Explorer (950759)
http://www.microsoft.com/technet/security/Bulletin/MS08-031.mspx
Microsoft Security Bulletin MS08-045
Cumulative Security Update for Internet Explorer (953838)
http://www.microsoft.com/technet/security/bulletin/ms08-045.mspx
Microsoft Security Bulletin MS08-058
Cumulative Security Update for Internet Explorer (956390)
http://www.microsoft.com/technet/security/bulletin/ms08-058.mspx
ISS X-Force
Microsoft Visual FoxPro FPOLE.OCX ActiveX control buffer overflow
http://www.iss.net/security_center/static/36496.php
CVE
CVE-2007-4790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4790